Configuring an Internet Protocol Security (IPsec) and/or a firewall security policy is inherently challenging. The main purpose of a network security policy is to lock down a device by restricting how it can be accessed. Incorrectly configuring a network security policy is very easy to do. Also, content filtering rules may change after the initial configuration, necessitating a change to the network security policy. For example, a set of filters that allows employees to access local servers might need to be updated to allow access through a Virtual Private Network (VPN) but prevent users from outside the company from accessing servers on the company's side of the firewall. Also, networks are often re-designed, and new content and new forms of viruses need to be filtered.
Devices may be unreachable due to network traffic errors, network security protocol errors, or any of a host of technical errors. Failover mechanisms, where a device may enter a failover mode after a predetermined time-out, switch control to a backup unit and reboot the failed device. A reboot, however, may not fix a security protocol error embedded in a device. Also, such failsafe mechanisms require standby or backup devices which add to the total cost of ownership.
More and more devices are being deployed headless without any I/O peripherals other than a network interface card. Therefore, even configuring an Internet Protocol address for a remote headless device is initially challenging. Loss of network access to a device can mean a trip to the remote site and/or resetting a device to factory defaults. This can mean anything from erasing the entire configuration on the device to erasing only the network security policy on the device. This however requires the user to re-configure the entire security policy when there may be only a very minor change needed to fix the problem.
Disabling the network security policy in lieu of losing access to the device means the device is accessible to everyone without any network security policy being enforced. Alternatively, a network security policy can be setup for a short temporary period of time for test prior to full installation. While this allows recovery, the user must wait out the temporary time period for full access. Devices which are unreachable over a network may initiate a failover reboot (power cycle) but may not be able to remedy a network security policy.